CVE-2025-39721
BaseFortify
Publication date: 2025-09-05
Last updated on: 2026-03-17
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can cause the Linux kernel to crash due to a use-after-free error when the affected QAT driver is repeatedly loaded and unloaded. Such crashes can lead to system instability, downtime, and potential loss of data or service availability.
Can you explain this vulnerability to me?
This vulnerability occurs in the Linux kernel's QAT driver when repeatedly loading and unloading a device-specific QAT driver (like qat_4xxx) in a tight loop. A power management interrupt can trigger just before the device-specific driver is unloaded while the core driver remains loaded. Because the driver uses a shared workqueue, a deferred routine from the device-specific driver may still be pending and execute after the driver is unloaded, causing it to dereference freed memory. This leads to a use-after-free scenario resulting in a kernel crash (page fault). The fix involves flushing the misc workqueue during device shutdown to ensure all pending work is completed before unloading the driver.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for kernel crashes or page faults related to the intel_qat driver, especially messages indicating a use-after-free scenario during device shutdown. Look for kernel logs containing errors like 'BUG: unable to handle page fault' and traces involving 'pm_bh_handler' in the intel_qat module. Commands such as 'dmesg | grep intel_qat' or 'journalctl -k | grep intel_qat' can help identify these crash logs.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the misc workqueue (qat_misc_wq) is flushed during device shutdown to complete all pending work items before unloading the device-specific QAT driver. This prevents use-after-free crashes. Applying the updated Linux kernel version that includes this fix is recommended. Note that flushing the workqueue may slightly increase shutdown latency but ensures system stability.